What is PA-DSS?
The Payment Application Data Security Standard (PA-DSS) is a program managed by the PCI Security Standards Council that payment applications must follow so that merchants using those applications can be PCI-DSS compliant. The PA-DSS requirements are derived from the PCI Data Security Standard (PCI-DSS), to which all credit card merchants must adhere. PA-DSS applies to software vendors who develop payment applications that store, process, or transmit cardholder data as part of authorization or settlement.
The PA-DSS was formerly managed under Visa's Payment Application Best Practices (PABP) program.
Why should you care?
Unfortunately, it is an all too common headline: a merchant's system is compromised and thousands of its customers' credit card numbers are stolen. So far this year there have been more than 300 reported data breaches, with more than 13 million records exposed. You can see the full listing here.
To combat this problem, the credit card companies formed the Payment Card Industry (PCI) Security Standards Council, which developed the PCI Data Security Standard (DSS). Merchants who are not PCI-DSS compliant can be fined thousands of dollars per month, and if there is an actual security breach they can be fined hundreds of thousands of dollars.
Furthermore, Visa has mandated that all its merchants be using PA-DSS validated payment applications by July 1, 2010.
TMA Resources hired an independent third party, one of PCI's Payment Application Qualified Security Assessors (PA-QSAs), to validate that Personify conforms to the PA-DSS. This was a major undertaking and took almost a year to complete.
Currently, TMA Resources is the only Association Management Software (AMS) vendor to have gone through this process and had its products listed on the PCI Web site as a PA-DSS Validated Payment Application. Using a PA-DSS validated payment application helps associations meet the PCI DSS compliance requirements for their organization.
The list of validated applications can be found here.
To meet PA-DSS, we do not store credit card numbers. So even if your system is breached, there are no credit card numbers in the database to be stolen.